Find out how to request your personal information

Share this page

Can I access my personal information?

You have the right to get a copy of the information that is held about you. This is known as a subject access request.

This right of subject access means that you can make a request under the Data Protection Act to any organisation processing your personal data. The Act calls these organisations ‘data controllers’.

You can ask the organisation you think is holding, using or sharing the personal information you want, to supply you with copies of both paper and computer records and related information.

Organisations may charge a fee of up to £10 (£2 if it is a request to a credit reference agency for information about your financial standing only).

There are special rules that apply to fees for paper based health records (the maximum fee is currently £50) and education records (a sliding scale from £1 to £50 depending on the number of pages provided).

However, it is important to remember that not all personal information is covered and there are ‘exemptions’ within the Act which may allow an organisation to refuse to comply with your subject access request in certain circumstances.

Can I access personal information about my child?

Information about children may be released to a person with parental responsibility. However, the best interests of the child will always be considered.

Even if a child is very young, data about them is still their personal data and does not belong to anyone else. It is the child who has a right of access to the information held about them.

Before responding to a request for information held about a child, organisations should consider whether the child is mature enough to understand their rights. If the organisation is confident that the child can understand their rights, then it will respond to the child rather than the parent. What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so.

Can I access personal information on someone else’s behalf?

The Data Protection Act does not stop you making a request on someone else’s behalf. This is often necessary for a solicitor acting on behalf of a client, or it could simply be that an individual wants someone else to act for them.

In these cases, the organisation will need to satisfy itself that the third party making the request has the individual’s permission to act on their behalf. It is the third party’s responsibility to provide this evidence, which could be a written authority to make the request, or a power of attorney.

If a person does not have the mental capacity to manage their own affairs and you are their attorney, for example you have a Lasting Power of Attorney with authority to manage their property and affairs, you will have the right to access information about the person you represent to help you carry out your role. The same applies to a person appointed to make decisions about such matters:

In England and Wales, by the Court of Protection;

In Scotland, by the Sheriff Court; and

In Northern Ireland, by the High Court (Office of Care and Protection).

Further Reading

How do I make a request?

1) Plan ahead

It will save you time if you do the following before writing your request:

Find out the right department and the right person to send the request to. Calling an organisation’s helpline or checking their privacy notice or policy on their website may help you find this out.

Check about the costs and fees in advance.

Make sure you know all the information you need. Organisations are entitled to charge a fee for every request, so you may have to pay another fee to get information you have not included in your original request.

2) Write to the organisation

When requesting your personal information from an organisation, you should include the following information:

your full name, address and contact telephone number;

any information used by the organisation to identify or distinguish you from others of the same name (account numbers, unique ID's etc);

details of the specific information you require and any relevant dates, for example:- your personnel file;- emails between ‘A’ and ‘B’ (between 1/6/11 and 1/9/11);- your medical records (between 2006 & 2009) held by Dr ‘C’ at ‘D’ hospital;- CCTV camera situated at (‘E’ location) on 23/5/12 between 11am and 5pm; - copies of statements (between 2006 & 2009) held in account number xxxxx .

It may also be helpful to include:

a reference to the 40-day deadline that applies when dealing with requests to provide personal information;

a reference to the Data Protection Act 1998 and subject access requests; and

reference to the assistance that the Information Commissioner’s Office can provide.

You also have the right to ask about any logic involved in any automated decisions made about you.

Alternatively, you may wish to use the template below:

[Your full address][Phone number][The date]

[Name and address of the organisation]

Dear Sir or Madam

Subject access request

[Your full name and address and any other details to help identify you and the information you want.]

Please supply the information about me I am entitled to under the Data Protection Act 1998 relating to: [give specific details of the information you want, for example

CCTV camera situated at (‘E’ location) on 23/5/12 between 11am and 5pm;

copies of statements (between 2006 & 2009) held in account number xxxxx).]

If you need any more information from me, or a fee, please let me know as soon as possible.

It may be helpful for you to know that a request for information under the Data Protection Act 1998 should be responded to within 40 days.

If you do not normally deal with these requests, please pass this letter to your Data Protection Officer. If you need advice on dealing with this request, the Information Commissioner’s Office can assist you and can be contacted on 0303 123 1113 or at ico.org.uk

Yours faithfully[Signature]

Further Reading

3) Keep copies and proof of receipt

It is best to send your request by recorded delivery or by email, and you should keep a copy of the request and all other correspondence. This will be important as evidence if you need to complain to the Information Commissioner’s Office that the organisation has not given you the information you think you are entitled to.

Do I have to make the request in writing?

A request sent by email or fax is as valid as one sent in hard copy. You can also make a valid request by social media, for example via an organisation’s Facebook or Twitter account, although it may be impractical for the organisation to use this same method to supply information to you.

If you find it impossible or unreasonably difficult to make a request in writing, an organisation may have to make a reasonable adjustment for you under the Equality Act 2010 (or Disability Discrimination Act 1995 in Northern Ireland). This could mean, for example, that the organisation has to consider treating a verbal request for information as if it was a valid subject access request.

What can I expect from the organisation?

How should an organisation respond to my request?

The organisation has to reply within 40 days, starting from the day they receive both the fee and the information they need to identify you and the information you need. A credit reference agency must reply within seven days to a request for a credit file.

If an organisation reasonably needs more information to help them find your information or identify you, they have to ask you for the information they need. They can then wait until they have all the necessary information as well as the fee before dealing with your request.

The organisation should give you the information in writing but they need not do this if it is not possible, if it takes ‘disproportionate effort’ or if you agree to some other form, such as seeing it on screen. The Act does not define what disproportionate effort means but we think the following should be taken into account:

the cost of giving you the information;

the length of time it will take;

how difficult it will be;

the size of the organisation; and

the effect on you of not having the information in permanent form.

What can I expect if I have rights under the Equality Act 2010 (or Disability Discrimination Act 1995 in Northern Ireland)?

Under equality law an organisation has a duty to make sure that its services are accessible to all service users. You can request a response in a particular format that is accessible to you, such as Braille, large print, email or audio format.

If you think that an organisation has failed to make a reasonable adjustment, you can make a claim under the Equality Act (or Disability Discrimination Act in Northern Ireland).

What should an organisation send me?

You are entitled to be told if any personal information is held about you and if it is, to be given:

a copy of the information in permanent form;

an explanation of any technical or complicated terms;

any information the organisation has about where they got your information from;

a description of the information, the purposes for processing the information and who the organisation is sharing the information with; and

the logic involved in any automated decisions (if you have specifically asked for this).

Can the organisation withhold any information?

Yes. There are some circumstances where the information you have asked for contains information that relates to another person. Unless the other person gives their permission, or it is reasonable in all the circumstances to provide the information without permission, the organisation is entitled to withhold this information.

The Act covers personal information that:

is held, or going to be held on computer;

is in, or going to be in, a manual filing system that is highly structured so that information about you can be easily retrieved;

is in most health, educational, social service or housing records; or

is other information held by a public authority.

What can I do if the organisation does not respond?

If more than 40 calendar days have passed since you made your request, we advise you write to the organisation to remind them of your request and their obligations under the Data Protection Act. We recommend you send any correspondence by recorded delivery.

Here is a template letter you may use:

[Your full address][Phone number][The date]

[Name and address of the organisation]

Dear Sir or Madam

Non response to a subject access request

I am writing further to my letter of [date] in which I made a subject access request, because I have not received any response from your organisation.

As the statutory time limit for responding to my subject access request (40 days) has now expired, I would be grateful if you could provide a response as soon as possible.

If I do not receive a response from your organisation within 14 days, I will report this matter to the Information Commissioner’s Office (ICO)

You can find advice on the ICO’s website on how to deal with a subject access request [ico.org.uk/sar] and information on their powers and the action they can take [ico.org.uk/action] or call them on 0303 123 1113.

*If there is anything you would like to discuss, please contact me on the following [telephone number].

Further Reading

What can I do if I believe the organisation has not sent me all the information I am entitled to?

If you feel the organisation has withheld some of your personal information, we recommend you contact them with your concern. Make sure you state the information you think is being withheld.

Here is a template letter you may use:

[Your full address][Phone number][The date]

[Name and address of the organisation][Reference number (if provided within the initial response)]

Dear […]

Subject access request

Further to my letter of [date] in which I made a subject access request, I would now like you to revisit the way you handled my request.

I requested the following information: [List information]

I received a response from you on [date] from [name of person in the organisation responding]. I have attached a copy of both letters for your information. From the information you have provided and from my reading of the Information Commissioner’s Office website at ico.org.uk, I suspect you have failed to disclose all the relevant information I requested.

I believe that I have not received all the data I am entitled to. I expected to receive any personal data relating to me that may be contained within the following: [List the records that you want the organisation to search and where they might be found, including any relevant dates, for example:

CCTV camera situated at (‘E’ location) on 23/5/12 between 11am and 5pm;

copies of statements (between 2006 & 2009) held in account number xxxxx).]

If you have withheld any information relating to me I would be grateful if you would confirm this and tell me why you consider it appropriate to do so.

If there is anything further you can do to resolve this matter, or further information you can provide, please do so.

As the statutory time limit for responding to my subject access request (40 days) has now expired, I would be grateful if you could provide this information within 14 days.

I must advise you that if I do not receive a satisfactory response from you, I will report this matter to the Information Commissioner’s Office (ICO).

You can find advice on the ICO’s website on how to deal with a subject access request [ico.org.uk/sar] and information on their powers and the action they can take [ico.org.uk/action] or call them on 0303 123 1113.

*If there is anything you would like to discuss, please contact me on the following [telephone number].